From Mageia wiki
Latest revision as of 19:02, 27 May 2018

To be completed....


Generalities

Affected people

The GDPR (General Data Protection Regulation), effective from the 25th of May 2018, sets new requirements for organisations that collect, store or process personal information about EU citizens.
Our association, Mageia.org, and all of the Mageia community who are EU citizens/residents will need to comply with GDPR. This article proposes an approach to compliance.
I suspect we don't have people under 15. If we have, just let me know, but I hope not.

Personal data

This is any data that can be used to identify a particular individual (the 'data subject'). Even if some data cannot identify someone on its own, it is still considered personal if it could feasibly be combined with other data to do so.

The data is classed as either:

  • Ordinary (non-sensitive): name, first name, date of birth, phone number ....
  • Special (sensitive): religion, sexuality, political or union activities,...

Special data is subject to stricter conditions for its use and security. I hope Mageia doesn't need sensitive data.

Processing data

As with the scope of personal data, the range of what could constitute processing is also very broad. Essentially, any act performed on the data qualifies as processing. Collecting, recording, organising, storing, modifying, combining, consulting, publishing, using, erasing, and destroying data are some common examples of processing.

Shared information

I know we sometimes share information and/or data with other organizations like Fedora, KDE, ... Could this information include personal data? To be discussed.

How far must we go?

As always with the law, the rules are written in very general terms: what is "a level of security appropriate to the risk", or "the measures strictly necessary and suitable to the context"?
For our privacy notice, we must certainly meet sections 2.1.1, 2.1.2, 2.1.3 and 2.1.5. Section 2.1.4 is less rigid and allows arrangements. The register could be simpler (without the "Effects on individuals" column) or more complex; I don't know where the border is. To be discussed.

Difficulties

  1. Volunteers working for Mageia use their laptops at home, on the train, in stations, at meetings or exhibitions.... I think we should write an official set of guidelines to follow if we might have other people's personal data on our laptops or are likely to display such data on-screen. To be discussed.
  2. Many individuals' computers are used simultaneously for Mageia and other things (downloading, cloud access, ...). How can we be confident that the safety rules are respected? To be discussed.
  3. Is it possible that commands like journalctl, dmesg, bug, ... give output with embedded personal data? I think yes, so we must list all of them and quote them in the consent as personal data that can be published in Bugzilla, forums, mailing lists, ...
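To illustrate point 3, here is an added example (not code from the Mageia project) that scans journalctl/dmesg-style output for the kinds of personal data such commands may embed, and replaces them with placeholders before the output is pasted into Bugzilla or a forum. The sample lines are constructed, not real log output, and the three kinds of marker it looks for (e-mail addresses, IPv4 addresses, home-directory user names) are an assumption; the actual list of commands and fields is the one the page says still has to be worked out.

```python
"""Scan diagnostic output (journalctl/dmesg-style lines) for personal data before it
is pasted into a public bug report. Added example; the sample lines are constructed."""
import ipaddress
import re

# Kinds of personal data that such output may carry. Which commands and fields
# actually matter is the list still to be worked out; these three are assumptions.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "home_user": re.compile(r"/home/[A-Za-z0-9_][A-Za-z0-9_.-]*"),
}

# Constructed sample, not real log output; 203.0.113.0/24 is a documentation range.
SAMPLE_OUTPUT = """\
May 27 19:02:01 laptop sshd[1234]: Accepted password for alice from 203.0.113.7 port 51522 ssh2
May 27 19:02:03 laptop systemd[1]: Started Session 4 of user alice.
May 27 19:02:05 laptop cupsd[567]: Job sent by alice.durand@example.org
May 27 19:02:06 laptop kernel: usb 1-1: new high-speed USB device number 3
May 27 19:02:07 laptop dbus[890]: Cannot read /home/alice/.config/foo.conf
May 27 19:02:08 laptop nginx[111]: 127.0.0.1 - - GET /status
"""


def _reportable_ip(value: str) -> bool:
    """Loopback and syntactically invalid addresses (e.g. 999.1.1.1) are not personal data."""
    try:
        return not ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False


def find_personal_data(text: str) -> list:
    """Return (line number, kind, value) for every personal-data marker found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(0)
                if kind == "ipv4" and not _reportable_ip(value):
                    continue
                hits.append((lineno, kind, value))
    return hits


def redact(text: str) -> str:
    """Replace each marker with a placeholder so the output can be published."""
    text = PATTERNS["email"].sub("<email>", text)
    text = PATTERNS["ipv4"].sub(
        lambda m: "<ip>" if _reportable_ip(m.group(0)) else m.group(0), text)
    text = PATTERNS["home_user"].sub("/home/<user>", text)
    return text


if __name__ == "__main__":
    for lineno, kind, value in find_personal_data(SAMPLE_OUTPUT):
        print(f"line {lineno}: {kind} {value}")
    print(redact(SAMPLE_OUTPUT))
```

Note what this does not catch: the bare user name "alice" in the systemd line is not matched, because nothing marks it as a name. A scrubber that is meant to be complete has to know the local account names (for example from the consent records) and add them as patterns; pattern matching alone only covers values with a recognisable shape.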

Things to do

Develop a Data Protection Policy and write a Privacy Notice

We must describe which data we need, and why. We need to explain how we use and store such data, and how we proceed to keep it safe.

Data processed by Mageia

The data Mageia asks for depends on the requested services; for example:

  • Name,
  • First-name,
  • Pseudonym for Mageia,
  • Date of birth (or the promise to be over 15),
  • e-mail,
  • preferred language (or country)
  • Internet: IP, Connection times
  • Phone number, (for the board members)
  • Address (for the board members)
  • else? (Cookies?)

All these data are kept as long as the membership lasts; they are completely erased when the member leaves Mageia.

Why we need these data

  • Name, first-name and pseudonym for identification in Bugzilla, Mageia Wiki, Forums, mailing lists, and all Mageia developer tools. Name and first-name may be published by some tools like Bugzilla.
  • Date of birth is necessary to check the age (how to check that the given date is valid?...)
  • e-mail is used for the forum, mailing lists, ......to complete
  • Preferred language is required to adopt that language wherever possible - it overrides the browser settings.
  • Phone number and address are optional for members who accept responsibilities
  • All personal data can be used for troubleshooting purposes via some commands.
  • else?

Safety

https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle_gb_web.pdf

I think we are already good at network security and at securing the servers and websites. It is more difficult for the clients scattered all over the world.

Measures (to be detailed by hardware and location):

  • The data stored on a computer is protected by a password (other anti-intrusion protections?)
  • Use of firewall and anti-virus
  • Password policy (e.g. 8 characters long including 3 out of 4 types of characters: uppercase, lowercase, numbers, special characters).
  • Update policy for the sensitive computers?
  • Temporary lock-down of the account after several failed attempts
  • Is the data encrypted?
  • If it may happen that somebody carries a laptop with the data stored on it, explain how the safety of the data is ensured.
  • The data is securely deleted from hardware before it is discarded.
  • The data is never shared, sold or transferred to other organizations or subcontractors (if this is true)
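As an added example (not Mageia code), the two account-related measures in the list above, the example password policy and the temporary lock-down after failed attempts, written as checks a registration or login script could call. The 8-character minimum and "3 out of 4 character types" come from the list; the lockout threshold of 5 attempts and the 15-minute lock duration are assumptions, since the page only says "several failed attempts".

```python
"""Password-policy check and temporary account lock-down. Added example; the
lockout threshold and lock duration are assumptions, not Mageia settings."""
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8          # from the page: 8 characters long
MIN_CLASSES = 3         # from the page: 3 out of 4 character types
MAX_FAILURES = 5        # assumption: what counts as "several failed attempts"
LOCK_SECONDS = 15 * 60  # assumption: length of the temporary lock-down


def character_classes(password: str) -> set:
    """Return which of the four character types the password contains.
    Anything that is not an ASCII letter or digit counts as 'special'."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def password_policy_errors(password: str) -> list:
    """List the policy rules a candidate password violates (empty list = accepted)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        errors.append(f"fewer than {MIN_CLASSES} of 4 character types")
    return errors


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per account and locks the account temporarily.
    Timestamps are passed in explicitly so the logic is easy to test."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def is_locked(self, account: str, now: float) -> bool:
        until = self.locked_until.get(account, 0.0)
        if now < until:
            return True
        self.locked_until.pop(account, None)  # lock expired: forget it
        return False

    def record_failure(self, account: str, now: float) -> bool:
        """Register a failed attempt; return True if this attempt triggered a lock."""
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account] = 0  # counter restarts once the lock expires
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the failure counter."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):
        print(candidate, "->", password_policy_errors(candidate) or "accepted")
    tracker = LockoutTracker()
    for attempt in range(MAX_FAILURES):
        print("locked after attempt", attempt + 1, "?",
              tracker.record_failure("alice", now=1000.0))
```

The tracker counts consecutive failures, not total ones: one successful login clears the counter, which is the usual behaviour and avoids locking out a member for a single typo a week ago.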

Logs

  • Logs of the logging and incident management measures must be kept securely for 3 to 6 months.

About people

  • Each user is authenticated
  • Who can read the data? We must manage the list of people who have access to the data.
  • Do we need an IT charter or/and a confidentiality agreement for those responsible for handling personal data?

Actions in the event of a data breach

  • Warn the CNIL
  • Warn the members and ask them to change their password.
  • Else?

Security of personal data

We don't need a Privacy Impact Assessment (PIA) as we don't handle sensitive data, but we are a "large" organization (several thousand members, I think), so we need a small study.

Listing the processing operations and the media on which they rely

Software processing is applied to data in order to allow:

  • creation of an account
  • access to the tools (Bugzilla, Mageia Wiki, Forums, mailing lists, and all Mageia developer tools)
  • the administrative management of Mageia (Mageia.org board tools)
  • public consulting of the Mageia databases (different lists, Mageia books)
  • automatic update
  • automatic messages (mgaaplet)
  •  ?

Assessing the risks generated by each processing operation

Main threats

Identifying the possible threats, what could allow each feared event (the risk) to occur?

Severity and Likelihood

Example of a scale: negligible, moderate, significant and maximal.

Register

https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle_gb_web.pdf

To formalise this consideration, we could write and keep a register here: a (digital) card for each processing operation, or a table:

Processing             | Data                                    | Risks (sources)                                | Main threats                                  | Effects on individuals | Measures                   | Severity    | Likelihood
Creation of an account | Name, first name, date of birth, pseudo | Spyware, poor password, laptop left unattended | Identity theft, unwanted modification of data |                        | Encryption, internal rules | Significant | Negligible
"                      | "                                       | A glimpse caught of a screen                   | Train, exhibitions, laptop left unattended    |                        | Internal rules             | Significant | Negligible
....                   | ....                                    | ....                                           | ....                                          | ....                   | ....                       | ....        | ....

Not sure if we need the columns in red.

Enquiries or complaints from the members

We must define by what means a member can exercise his/her rights:

  • Right to consult
  • Right to request the rectification
  • Right of erasure
  • Modify the consent

All relevant information about rights management must be easily found in such places where a person can subscribe to or contact Mageia.

Obtaining Consent

We must ask for, and store, each member's consent to our use of their personal data. For that, the members have to read our Policy and affirm that they understand and agree to its conditions. We must also ensure that the member is older than 15. Consents are stored as long as the membership lasts.
This rule also applies to old members, so we need to work out a full list of all people of whom we have personal data.

About the donors, today we ask them to say if they want to remain anonymous. With GDPR, I think we should ask them to say they agree that their name is published.

Consent is not the only way to get the right to use personal data. We can also invoke:

  • The execution of a contract. But do we really have a contract with the members? I don't think so.
  • Our legitimate interest. But as we are not a commercial company, we do not need to earn money, we do not have to fight competitors, and our development is public. It is difficult to say data is needed on the basis of our legitimate interest.
  • The legitimate interest of the member. It could be valuable for the age.
  • To face legal obligations. Which one?

As we need very few data, asking for consent is probably the simplest way to get the agreement, and an unquestionable one. Nevertheless, we can write that extra data could be used on the basis of the other methods.

DPO

It is advised to name a DPO (Data Protection Officer), in French DPD (Délégué à la Protection des Données).

DPO responsibilities:

Although it is not mandatory, we still need someone to do the job

Implement our Policy

Modifications of websites, tools, procedures, ....

We need a designated and secure place:

  • to store the consents (as long as the membership lasts)
  • to store the personal data (as long as the membership lasts)
  • to store the logs about the logging and incident management measures (for 3 to 6 months).

We must modify some web pages to add a link towards the Policy and the complaints procedure.

A link could also be useful in the Wiki page "Mageia.org user account".
Lastly, add an entry in the Mageia.org statutes identifying the name and position of the person in charge of the GDPR compliance.

What about the other communities

Fedora: http://fedoraproject.org/wiki/User:Pfrields/NewPrivacyPolicy-20180525
Ubuntu: Nothing found
Debian: https://blog.liw.fi/posts/2017/10/10/debian_and_the_gdpr/
Framasoft: Nothing found
Nui.fr (OpenSuse): https://nui.fr/blog/declaration-de-confidentialite/
KDE: Nothing found
Red Hat: https://www.redhat.com/en/about/privacy-policy

Links

The Law

http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/fr/pdf/

French CNIL

https://www.cnil.fr/fr/principes-cles/rgpd-se-preparer-en-6-etapes
https://www.cnil.fr/fr/cnil-direct/thematique/143
https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle_gb_web.pdf
https://www.cnil.fr/sites/default/files/atoms/files/cnil_guide_securite_personnelle.pdf

English-French glossary

https://www.cnil.fr/en/english-french-glossary-data-protection

GDPR and Associations

https://www.solidatech.fr/consulter/a-la-une/rgpd-mettez-vous-en-conformite-avec-le-nouveau-reglement
https://www.assoconnect.com/articles/22226-rgpd-ce-que-ca-change-pour-les-associations

GDPR and Open Source

https://opensource.com/article/18/4/gdpr-impact
https://opengdpr.org/

Miscellaneous

https://onetrust.com/cnil-six-step-guide-gdpr-preparation/
https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/
https://ec.europa.eu/info/law/law-topic/data-protection_en